Fix heap overflow when loading a PSD. bug 36368305
Change-Id: Ia4480bcc9d06c80c4ccfb8b59d7ad1cf313d3479
Fix: 36368305
Bug: 36368305
Test: non-applicable
(cherry picked from commit 839cb7ebd84ed02ce52847da5275ab27d7515c79)
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index d91b308..a9d338a 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -5228,6 +5228,10 @@
} else if (len < 128) {
// Copy next len+1 bytes literally.
len++;
+ if (len >= pixelCount - count) {
+ STBI_FREE(out);
+ return stbi__errpuc("corruptfile", "Corrupt PSD file");
+ }
count += len;
while (len) {
*p = stbi__get8(s);
@@ -5241,6 +5245,10 @@
len ^= 0x0FF;
len += 2;
val = stbi__get8(s);
+ if (len >= pixelCount - count) {
+ STBI_FREE(out);
+ return stbi__errpuc("corruptfile", "Corrupt PSD file");
+ }
count += len;
while (len) {
*p = val;